UserZoom’s SaaS Delivery Services
Overview
UserZoom’s SaaS Delivery Services comprise the complete set-up, delivery and administration of the Ordered Software Services on servers operated and maintained by or at the direction of UserZoom. UserZoom will set up, manage, monitor, tune, and react to all aspects of the Ordered Software Services, including Customer Content, databases, network, servers, security components, internet links, etc. Because UserZoom manages all these services, Customer can access the Ordered Software Services via a secured connection from a web browser. UserZoom may delegate the performance of certain portions of the SaaS Delivery Services to third parties, provided UserZoom remains responsible to Customer for the delivery of the Ordered Software Services. Capitalized terms used but not defined in this SaaS Delivery Services Exhibit shall have the meanings given to them in the Agreement.
Security
UserZoom operates an information security program designed to protect Customer Content utilizing industry standard policies and technologies. UserZoom takes appropriate measures to protect the Ordered Software Services against “hackers” and others who may seek to modify the Ordered Software Services or the data therein without the consent of UserZoom or Customer, and to correct each Ordered Software Service to its original form in the event that it is modified without UserZoom's consent. UserZoom tests code for potential areas where security could be breached.
Data Centers and Physical Security
The equipment hosting the Software is located in one or more secure, fault-tolerant, seismically-compliant data centers (each, a “Data Center”). Physical access to each Data Center is restricted and controlled by access lists held by the collocation facility’s security department. Multiple forms of authentication are required to access each facility. Each Data Center is equipped with fire, water, and heat detection and protection systems. As of the Effective Date, UserZoom uses the following hosting service providers for the Ordered Software Services:
For Ordered Software Services hosted in the United States, UserZoom uses Amazon Web Services (“AWS”), currently located in Virginia and northern California. Data Center certifications include SSAE 16 - SOC2, ISO 9001, ISO 14001, ISO-IEC 27001, OHSAS 18001, Safe Harbor Self-Certification and CDSA Certification.
For Ordered Software Services hosted outside of the United States, UserZoom uses Amazon Web Services ("AWS"), currently located in Ireland. Europe-based Data Center certifications include SSAE 16 - SOC2, ISO-IEC 27001, BS7799, ISO 9000:2001 and ISO 14001.
Application Security
- All UserZoom application traffic traverses the Internet via encrypted channels and only communicates to the outside through HTTPS using AES 256-bit encryption.
Data Security
- Data is encrypted at rest using AES 256-bit encryption.
Authentication
- All access to systems is controlled by an authentication method involving a minimum of a unique user ID/password combination.
- Privileged users and administrators use strong authentication.
- Passwords may be changed on a periodic basis if requested by Customer.
- Passwords are never stored in clear text and are hashed with SHA-256, which is a one-way hash, so there is no key that can decrypt it to get the original password.
- Passwords must be complex and not easy to guess or crack.
- Effectiveness of authentication is tested on a regular basis to ensure that unauthorized authentication is not easily permitted.
- All activity performed under a user ID is the responsibility of the individual assigned to that user ID. Users do not share their user ID/password with others or allow other employees to use their user ID/password to perform actions.
- Use of generic user accounts is not permitted.
- Client connections are not allowed to retain access to a disrupted session, a session that has ended abnormally, or when a security-related parameter has been exceeded or violated. An abnormal ending of a session results in denied access and requires the user to begin the login process.
- Sessions time out after one hour.
System and Network Security
At the network level, UserZoom’s production environment is designed to provide maximum security based on industry-standard practices.
- The front-end application and web servers are isolated from other services such as DNS and SMTP.
- Inbound and outbound connections are denied unless expressly allowed.
- The databases are further protected in a separate data island firewalled such that they can only be accessed by the front-end servers. No direct access from the Internet is allowed to the database servers.
- The system is monitored for unauthorized access or malicious traffic.
- Malware prevention technologies include, but are not limited to, desktop and gateway antivirus.
- Effectiveness of controls is tested on a periodic basis.
Host Security
At the host level, UserZoom servers are fine-tuned or “hardened”.
- Only necessary services and software are installed.
- Servers are regularly updated with the latest security patches.
- All management traffic to the servers is encrypted.
- Where applicable, malware detection tools are used.
- Administrative access to servers is restricted to authorized resources and occurs over a secure encrypted session. All administrative access is logged and monitored.
- Security auditing is turned on and logs are sent to a secure log collection system.
Logging and Monitoring
UserZoom logs security-relevant events, including, but not limited to, login failures, use of privileged accounts, changes to access models or file permissions, modification to installed software or the operating system, changes to user permissions or privileges or use of any privileged system function, on all systems. Security logs are retained for a minimum of 1 year. Access to security logs is restricted to authorized staff. System clocks are synchronized using NTP to ensure the accuracy of audit logs.
Availability of Ordered Software Services
UserZoom shall use commercially reasonable efforts to maintain each Ordered Software Service in a manner that minimizes errors and interruptions and to make such Ordered Software Service available 24 hours a day, seven days a week, but it is understood that an Ordered Software Service may be temporarily unavailable due to (a) maintenance, application of Updates (as defined below) and testing of systems, applications and networks within the Data Center (collectively, “Scheduled Maintenance”), or (b) Force Majeure Events. UserZoom will use all commercially reasonable efforts to provide Customer with at least 72 hours advance notice of any Scheduled Maintenance.
In the event of an outage of an Ordered Software Service other than Scheduled Maintenance where users experience no response (“Emergency Downtime”), UserZoom will follow its standard outage procedure set forth below:
- UserZoom will check audit logs to determine if any users were logged in at the time of the outage, and will promptly contact Customer and/or the affected user(s) to understand the impact.
- Within 60 minutes of the identification of the outage, UserZoom will notify Customer via e-mail with a status and ETA for restoring service, if available.
- UserZoom will notify Customer via e-mail with status and ETA for restoring (if available), in accordance with UserZoom’s standard policies and procedures with respect to such
Configuration Management
Emergency, non-routine, and other configuration changes to existing UserZoom infrastructure are authorized, logged, tested, approved and documented in accordance with industry best practices for similar systems. Updates to UserZoom’s infrastructure are done to minimize any impact on the customer and their use of the services. UserZoom will communicate with customers when service use is likely to be adversely affected.
UserZoom applies a systematic approach to managing change so that changes to customer impacting services are thoroughly reviewed, tested, approved and well communicated. UserZoom’s change management process is designed to avoid unintended service disruptions and to maintain the integrity of service to the customer. Changes deployed into production environments are:
- Reviewed: Peer reviews of the technical aspects of a change are performed to ensure functionality, maintainability, and security.
- Tested: Changes being applied are tested to ensure they will behave as expected and not adversely impact performance.
- Approved: Changes are approved to provide appropriate oversight and understanding of business impact.
Whenever possible, software changes are scheduled during regular Scheduled Maintenance/change windows. Emergency changes to production systems that require deviations from standard change management procedures are associated with an incident and are logged and approved as appropriate.
Service Level Agreement
Monthly Availability Credit
UserZoom will use all reasonable efforts to minimize downtime of the Ordered Software Services and to ensure a Monthly Availability Percentage of 99.5%, except as set forth below. The Monthly Availability Credit is calculated on an aggregate Monthly basis as follows:
Monthly Availability Percentage = (total minutes in the month – total number of minutes that the Ordered Software Service is inoperable in that month) / total minutes in the month
So long as UserZoom takes commercially reasonable steps to restore service as rapidly as possible, the Monthly Availability Percentage excludes (1) periods of Scheduled Maintenance; (2) problems caused by use by Customer of the Ordered Software Services in a manner not in accordance with the Documentation; (3) outages due to problems with Customer Content; (4) outages due to system administration, commands, file transfers performed by Customer representatives; (5) outages due to denial of service attacks, natural disasters, changes resulting from government, political, or other regulatory actions or court orders, strikes of third parties or labor disputes of third parties, acts of civil disobedience, acts of war, acts against parties (including carriers and UserZoom’s other vendors), and other force majeure items; (6) lack of availability due to untimely response time of Customer to respond to incidents that require its participation for source identification and/or resolution; (7) outages due to Customer’s breach of its material obligations under the Agreement; and (8) outages due to failure of the Customer Access Equipment or other Customer hardware or software.
Remedy
If the Monthly Availability Percentage is less than 99.5% in any given month, Customer will be entitled to receive a refund of the Subscription Fees attributable to that particular month as follows:
Uptime Percentage | Refund Percentage |
97.50% - 99.49% | 5% |
95.50% - 97.49% | 8% |
92.00% - 95.49% | 10% |
Less than 92.00% | 15% |
Calculation of Refunds
The refund is calculated as a percentage of one-twelfth of the annual Subscription Fees paid in that year for the month during which the Data Center does not achieve the guaranteed 99.5% Monthly Availability Percentage set forth above.
Monthly Reports
Upon request, UserZoom will deliver to Customer’s designated principal contact person a report regarding the operations of the Data Center and the usage of the Ordered Software Service(s) in the prior month. Such report shall include, among others, a summary of the Monthly Availability Percentage for the Ordered Software Service(s) in the previous month, the amount of Scheduled Maintenance and Emergency Downtime.
Business Continuity and Backups
The AWS infrastructure has a high level of availability and provides UserZoom with the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. All data centers are online and serving customers; no AWS data center is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites. UserZoom will back up Customer Content, and will create a full backup (complete data copy) at least once per week at a secure backup location. UserZoom will maintain all such backup files for up to ninety (90) days post-subscription. Upon the Customer’s written request, UserZoom will restore data from the backup files. The backup recovery process itself shall not cause downtime of the applicable Ordered Software Service; however, such Ordered Software Service(s) will be inaccessible during the backup restoration process. UserZoom will ensure that daily incremental backups in combination with weekly full backups are complete so that no more than twenty-four (24) hours’ worth of data will be lost in the event of a disaster. UserZoom will restore data as requested by the Customer within 48 hours of the Customer’s written request.
Data Recovery
In the event of a disaster or failure, UserZoom will promptly respond to Customer’s requests for restoring data and Customer backups will be restored to the latest verified backup prior to the outage. UserZoom’s Recovery Time Objective (RTO) for the application is 48 hours and its Recovery Point Objective (RPO) is 24 hours. RPO refers to the amount of data at risk. This is determined by the amount of time between data protection events and reflects the amount of data that potentially could be lost during a disaster recovery. RTO refers to the targeted time to recover from a data loss event and how long it takes to return to service.